(VPN to home is not working so using web mail interface which timed out while I was composing the first answer to this message without saving the draft - maybe the repeat will make this more succinct.)
So suppose we say "AS_SETs are not in scope for this wg".

So suppose a BGP route produced by AttackerBob arrives with an origin that is an AS_SET. The validation scheme does ... what? If the validation scheme says anything better than "invalid" then the attacker has a way to circumvent the origin protections.

We already know that the attacker has a way to continue to produce bogus BGP routes by putting a valid origin on the end of a bogus path. In that case, the origin protections work just fine, to the limit of their abilities. It is path validation that fails. But with no way to deal with an origin that is an AS_SET, the origin protections themselves fail. In my opinion that is an important difference and therefore the issue is in the scope of the working group.

The reasoning that we need not deal with AS_SETs because they are so rare is good reasoning if we were protecting AS_SET origins, i.e., we are trying to judge good valid AS_SETs from bad bogus AS_SETs. "Why protect this feature since it is so rare" is a valid statement. "Why deal with this rare input" is not a valid statement, when producing the rare input is under the control of the attacker and is an attack vector.

Please note that I'm not saying we need to deal with the AS_SETs in any careful way. "DROP" is a nice simple statement about what to do with BGP routes that have AS_SET origins. That might be a bit draconian, and it would mean that some potentially valid routes might get dropped. I would say that such an outcome would be acceptable, precisely because of the rarity. The schemes some are suggesting for more care in the decision are fine too.

What I see as in scope is:

(a) AS_SET is a feature that is a valid input so we can't ignore it
(b) whatever we do with AS_SET origins cannot allow circumvention of the origin protections

--Sandy, speaking as co-chair but without coordination with my co-chair

-----Original Message-----
From: [email protected] on behalf of Robert Kisteleki
Sent: Thu 7/29/2010 4:14 AM
To: [email protected]
Subject: Re: [sidr] Comment about aggregators and AS_SETs

On 2010.07.28. 17:54, Sandra Murphy wrote:
> The problem is the possibility that not accommodating legitimate BGP updates
> might result in opportunities for bad guys to get around protections.

IMO that's not the problem. The problem is that we don't want to have special mechanisms for cases that occur 0.0007% (or is 0.02%?) of the time. It's like creating a special shampoo product line for albinos. No offense to albinos, but it's not really a good idea. It'll fail.

[0] http://en.wikipedia.org/wiki/Albinism

> So we need to have some statement of what to do with this legitimate BGP
> update format. And we need some certainty that we aren't introducing
> opportunities to circumvent the protections of ordinary updates.

Agree. My suggestion: these announcements are not in scope for SIDR.

Robert

> Protecting the AS_SETs etc is out of scope.
>
> --Sandy

_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
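
Point (b) in the message above, as an added example that is not part of the original thread: a small origin validator run with two treatments of an AS_SET origin, one that declares it out of scope and one that applies the "DROP" option. The ROAs, AS numbers, routes, function names and result labels are all constructed or hypothetical.

```python
import ipaddress

# Constructed sample ROAs: (prefix, max length, authorized origin AS).
ROAS = [("192.0.2.0/24", 24, 64500), ("198.51.100.0/24", 25, 64501)]

def origin_segment(as_path):
    """as_path is a list of (segment_type, [ASNs]); the last segment holds the origin."""
    return as_path[-1] if as_path else ("AS_SEQUENCE", [])

def validate_origin(prefix, as_path, as_set_policy="drop", roas=ROAS):
    """Return 'valid', 'invalid', 'not-found' or 'unknown' for one route."""
    seg_type, asns = origin_segment(as_path)
    if seg_type == "AS_SET":
        # An AS_SET names no single origin that can be compared against a ROA.
        if as_set_policy == "drop":
            return "invalid"   # the "DROP" option from the message
        return "unknown"       # "out of scope": a result better than invalid
    origin = asns[-1] if asns else None
    net = ipaddress.ip_network(prefix)
    covering = [(max_len, asn) for p, max_len, asn in roas
                if net.subnet_of(ipaddress.ip_network(p))]
    if not covering:
        return "not-found"
    for max_len, asn in covering:
        if asn == origin and net.prefixlen <= max_len:
            return "valid"
    return "invalid"

# Constructed routes for 192.0.2.0/24, which only AS 64500 may originate.
GOOD = [("AS_SEQUENCE", [64510, 64500])]
WRONG_ORIGIN = [("AS_SEQUENCE", [64510, 64511])]
SET_ORIGIN = [("AS_SEQUENCE", [64510]), ("AS_SET", [64511, 64500])]

def compare_policies(prefix="192.0.2.0/24"):
    """Map each route to its (out-of-scope result, drop result)."""
    routes = [("good", GOOD), ("wrong", WRONG_ORIGIN), ("set", SET_ORIGIN)]
    return {name: (validate_origin(prefix, path, "out-of-scope"),
                   validate_origin(prefix, path, "drop"))
            for name, path in routes}

if __name__ == "__main__":
    for name, result in compare_policies().items():
        print(name, result)
```

Under the out-of-scope treatment the route from the unauthorized AS goes from "invalid" to "unknown" just by ending its path in an AS_SET; under "drop" it stays "invalid".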
